Cisco Support Community
Community Member

How do access lists log packets...?

I have an access list (101) applied to fa0/0 like this...

access-list 101 permit tcp host host log

access-list 101 permit tcp host host log


int fa0/0
 ip access-group 101 in

I have an almost identical access list (103) applied to s0/0 in the same manner, but "out" instead of "in".

I want to see packets that match that particular rule travelling

a. In to the fa0/0 interface, and

b. out the s0/0 interface

Thus far I can see the packets coming in, but nothing else

Mar 10 11:32:45 AEST: %SEC-6-IPACCESSLOGP: list 102 permitted tcp ->, 2 packets

I don't see any packets going out the serial interface and I never see any packets coming back. Does IOS log a hit on each interface or only the first match?

I can establish a connection to the destination server successfully from the router by telnetting its open port.

Any ideas?

Community Member

Re: How do access lists log packets...?


ACL logging is rate limited, i.e. not every packet which matches the same ACE in the given ACL will be logged. By default the first hit is logged, and from then on it is updated once per 5-minute interval. I mean if you have traffic matching the same ACE in the ACL for 10 minutes, you won't find more than 3 log messages in the logging destination. You can find the number of packets that matched this ACE at 5-minute intervals. The counter resets every 5 minutes.

You can control the interval to send the log with the "ip access-list log-update" command; you can set the number of packets here. If you apply the command below, you can log each and every hit to the logging destination (be careful about CPU usage here):

ip access-list log-update threshold 1
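To make the summarisation behaviour concrete on the collector side, here is an added Python example (not from the original thread, and not Cisco code) that parses a handful of constructed %SEC-6-IPACCESSLOGP lines and sums the per-interval packet counts per ACE hit. With the default 5-minute update interval a single 10-minute TCP flow shows up as three messages (first hit plus two summaries), and a SIEM that counts messages instead of the "N packets" field under-reports the traffic. The IP addresses, ports and timestamps in the sample are constructed for the example; only the message layout follows the IOS format shown in the question.

```python
import re
from collections import defaultdict

# Matches the IOS ACL log summary line for TCP/UDP (IPACCESSLOGP), e.g.
#   %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(41234) -> 192.0.2.10(23), 2 packets
# Source/destination ports are optional in the regex so lines without them still parse.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+?)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\S+?)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: one permitted TCP flow that lasts ~10 minutes (first hit,
# then two 5-minute summaries), one denied hit on another list, and one
# unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    "Mar 10 11:32:45 AEST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "10.0.0.5(41234) -> 192.0.2.10(23), 1 packet",
    "Mar 10 11:37:45 AEST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "10.0.0.5(41234) -> 192.0.2.10(23), 120 packets",
    "Mar 10 11:40:02 AEST: %SEC-6-IPACCESSLOGP: list 103 denied tcp "
    "198.51.100.7(5555) -> 192.0.2.10(22), 1 packet",
    "Mar 10 11:41:00 AEST: %SYS-5-CONFIG_I: Configured from console by console",
    "Mar 10 11:42:45 AEST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "10.0.0.5(41234) -> 192.0.2.10(23), 118 packets",
]


def parse_line(line):
    """Return a dict of the ACE-hit fields for an IPACCESSLOGP line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])  # the per-interval packet counter
    return rec


def ace_key(rec):
    """Identity of one logged ACE hit: list, action, protocol, endpoints and service port."""
    return (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])


def aggregate(lines):
    """Sum packet counters per ACE hit and count how many syslog messages carried them.

    totals[key] is the number of matched packets; messages[key] is how many
    log lines the router emitted for that hit, which is what a naive
    'count the events' dashboard would show instead.
    """
    totals = defaultdict(int)
    messages = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = ace_key(rec)
        totals[key] += rec["count"]
        messages[key] += 1
    return dict(totals), dict(messages)


if __name__ == "__main__":
    totals, messages = aggregate(SAMPLE_LOG)
    for key in totals:
        acl, action, proto, src, dst, dport = key
        print(f"list {acl} {action} {proto} {src} -> {dst}:{dport}: "
              f"{totals[key]} packets in {messages[key]} log messages")
```

Run it and the permitted flow reports 239 packets across 3 messages, which is the figure the reply describes: the router logged once at the first hit and then once per 5-minute interval, with each summary carrying the count for that interval. If `ip access-list log-update threshold 1` were applied, every packet would produce its own line and `messages` would equal `totals`, at the CPU cost the reply warns about.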

